Evernote hacked, millions affected

50 million users asked to reset passwords

March 4, 2013

Questions remain for 50 million users of Evernote, a Web and app-based digital notebook and archiving service, after the network was hacked. In a blog post, Evernote’s chief technology officer, Dave Engberg, explained that user names and email addresses had been accessed along with encrypted password information.

Evernote said that no user content or personal notes were accessed; users are being asked to change their passwords. Even with the enforced password reset, Engberg pointed out that data was still in a protected format:

“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted),” he said. The global password reset represents “an abundance of caution” rather than an immediate threat to user security.

According to Sophos Security analyst Graham Cluley, it remains unclear how long the hackers had access to Evernote or how they managed to get in. He writes in a blog post, “it’s another cautionary tale about the risk which can exist with trusting the cloud to look after your personal information.”

Many services, such as Evernote, store data on remote servers instead of the user’s computer, which allows it to be accessed from multiple computers and other devices. Cluley says, “it’s another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information.”

Evernote stated that it was “constantly enhancing the security of our service infrastructure to protect Evernote and your content”. Evernote’s monitoring reportedly found no evidence that payment information for users of the business or premium services was tampered with.

ABC News reports the incident was the latest in a string of other security breaches. They report that in February, Twitter announced that 250,000 accounts were compromised. Facebook and Apple were also targets of hackers.